Hackers found a way to abuse the URL shortening tool bitly in a novel way. A public API key for bitly was misused to redirect users to a fake news site.

Published: Wed, 23 Jul 2014 by Rad

One of the best known URL shortening services, bitly (motto: "The power of the link"), has been affected by a bug which enabled a malicious party to redirect users to a fake news website. The attack abused the company's publicly available Bitly application programming interface (API) key to create custom short URLs for redirecting victims, the researchers said.

A URL redirection flaw on the NBC News website could be used by scammers to give links a false sense of added trust. This is in addition to ongoing abuse of MSNBC's publicly available Bitly API key, which is being used in an active spam campaign. In fact, the logout page on the NBC News website has an open redirect that can be used to send someone anywhere.
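The open redirect described above is the familiar "logout page honours a caller-supplied return URL" pattern. As an added example (not code from the article, NBC News or bitly), here is that pattern beside a hardened version that only ever sends the user to a path on its own site; the host name news.example.com and the `next` parameter name are assumptions.

```python
from urllib.parse import urlsplit

# Constructed configuration: the only host the logout page may send users to.
SITE_HOST = "news.example.com"


def vulnerable_logout_target(next_url: str) -> str:
    """The open-redirect pattern: whatever ?next= holds is used verbatim,
    so the page becomes a free hop in anyone's redirection chain."""
    return next_url


def safe_logout_target(next_url: str, default: str = "/") -> str:
    """Return next_url only if it resolves to a same-site path, else default.

    Rejects other hosts, scheme-relative (//host) and backslash variants,
    non-http schemes, userinfo tricks (ourhost@evil) and "//" paths.
    """
    if not next_url:
        return default
    # Browsers treat a leading backslash like a slash, so normalise first.
    candidate = next_url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) on our own host passes.
        if parts.scheme not in ("http", "https") or parts.hostname != SITE_HOST:
            return default
        if parts.username is not None or parts.password is not None:
            return default
    path = parts.path or "/"
    # A path beginning with "//" would be read by the browser as a new host.
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Re-emit only path and query, never the original scheme/host/fragment.
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed sample inputs a logout page might receive in ?next=.
    for url in ["/account", "//evil.example/x", "https://news.example.com@evil.example/",
                "https://news.example.com//evil.example", "javascript:alert(1)"]:
        print(f"{url!r:50} -> {safe_logout_target(url)!r}")
```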

When a redirection URL is added to bitly, the long, messy-looking URL is translated into something cleaner that is easily trusted at first glance.

In this attack, the Bitly API key was publicly available and misused by the spammers to redirect from "hxxp://on.msnbc.com/" through a four-step redirection chain. Most users would never suspect that a URL shortener of a household brand, such as MSNBC, would be abused by cybercriminals.

Carl Leonard, senior manager of security research at Websense

Disclaimer

This was fixed directly by bitly on 21st July and the redirection loop was closed.